Inside Internal Controls

News and discussion on implementing risk management

Costco reports a material weakness in internal control. But is it really?

In a news release on October 4th, Costco Wholesale announced its operating results for the 4th quarter and full year ended September 2nd.

In that release, it stated:

While the Company is still completing its assessment of the effectiveness of its internal control over financial reporting as of September 2, 2018, in its upcoming fiscal 2018 Annual Report on Form 10-K, it expects to report a material weakness in internal control. The weakness relates to general information technology controls in the areas of user access and program change-management over certain information technology systems that support the Company’s financial reporting processes. The access issues relate to the extent of privileges afforded users authorized to access company systems. As of the date of this release, there have been no misstatements identified in the financial statements as a result of these deficiencies, and the Company expects to timely file its Form 10-K.

Remediation efforts have begun; the material weakness will not be considered remediated until the applicable controls operate for a sufficient period of time and management has concluded, through testing, that these controls are operating effectively. The Company expects that the remediation of this material weakness will be completed prior to the end of fiscal year 2019.

This information is surprising on many fronts.

For a start, it is rare these days for a company to determine that it has a material weakness related to IT general controls (ITGC).

Let me explain why it is rare, and why I personally question whether management got this right.

A material weakness is defined by the PCAOB Auditing Standard No. 5 (now renumbered as AS No. 2201) as:

“.. a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis”.

Let’s start with what would constitute a material misstatement of Costco’s financials.

Their full year pre-tax net income, according to the release, is just over $4 billion. Materiality is generally 5% of pre-tax net income, which in this case would be $200 million.

It is very hard to envisage a situation where a $200 million error would not be noticed.

To meet the threshold for a material weakness, there has to be “a reasonable possibility” that a $200 million misstatement would not be prevented or detected on a timely basis.

Is there a reasonable possibility that defects in “user access and program change-management” could lead to a $200 million error that is undetected by other controls, such as comparisons of actual to forecast, margin analysis, and so on?

In the early years of SOX compliance, ITGC control failures were among the top sources of material weaknesses (the others were tax treatments and the organization’s knowledge of accounting rules).

But while ITGC control deficiencies continue to be present, it is unusual to see them disclosed as material weaknesses.

The reasons are fairly clear: ITGC deficiencies do not have a direct effect on the financial statements. They simply indicate that the automated controls, or the IT-dependent elements of other controls, may not operate consistently as they should.

Costco has not disclosed any failures of such automated controls or the IT-dependent elements of other controls, and they should have if any existed. Neither have they disclosed any accounting errors that flowed from such deficiencies.

If I were on the board of Costco, I would be asking how these control deficiencies might lead to a $200 million misstatement of the annual financials (or a $70 million error in the 4th quarter, when pre-tax net income was $1.4 billion).

It is difficult for me to imagine how that could occur. I may be wrong, but I suspect their audit firm, KPMG, insisted that these deficiencies be categorized as material weaknesses.

Calling these material weaknesses does not seem reasonable to me.

What else surprised me?

They are saying that they will have corrected these deficiencies within one year.

Assuming that they truly are material weaknesses, how can it be acceptable to wait a full year to get them fixed?

How can the market rely on their quarterly reports if the system of internal control is deemed ineffective for that period?

I would not accept that as a board member, an investor, or a regulator!

Finally, the company concluded in its prior quarterly report that its disclosure controls and procedures (which include its internal control over financial reporting) were effective.

If these were in fact material weaknesses (which I doubt), then the question arises as to when management became aware of them – or should have been aware of them. If that predates the 3rd quarter 10-Q, the company may have a problem.

I have to wonder whether companies and their auditors fully understand the principles of SOX compliance and what AS5 actually says!

I teach SOX compliance efficiency and effectiveness to SOX program managers (and their equivalents, such as internal audit management). In my experience, the great majority of companies are doing too much (and the wrong) work and the external audit firms have lost touch with the principles of the top-down and risk-based approach mandated by the PCAOB.

I welcome your views.

By the way, Costco shares lost 4% following the news release. It is not clear how much should be attributed to the material weakness disclosure.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.